Add compile-time object_size checks as with FORTIFY _chk #40

Closed
rurban opened this issue Jan 17, 2018 · 0 comments
rurban commented Jan 17, 2018

With newer compilers and -D_FORTIFY_SOURCE>=2 check the dmax sizes at compile-time against __builtin_object_size (=BOS) compiler builtins, similar to the glibc and Bionic FORTIFY _chk functions, with gcc and newer clang. Just at compile-time already, not at run-time.

Add compile-time errors and warnings, and run-time warnings on --enable-warn-dmax if the 2 sizes deviate.

With clang-7 even add compile-time warnings and errors; without clang-7/diagnose_if, defer to run-time.
The compile-time warning is a -Wuser-defined-warnings and may be suppressed or increased to -Werror.

  • error with "dmax exceeds dest" if dmax>BOS(dest): overflow even if dmax < RSIZE_MAX
  • warn with ESLEWRNG "Wrong dmax" if dmax!=BOS(dest), with --enable-warn-dmax or clang-7.

A fatalized ESLEWRNG does not clear dest.

This might catch more wrong dmax, smax args, when the object-size is known at compile-time.
If it does no harm writing them out explicitly at the user call-site, it's even better. Yes, glibc disagrees, for the additional arg pass-thru performance hit. It's one single register/stack write.
An object may suddenly be dynamically malloced, and then glibc turns insecure; we do not.

e.g.

```c
char dest[80];           /* an 80-byte array, so BOS(dest) == 80 */
strcpy_s(dest, 79, "1"); /* dmax 79 != 80 */
```

=> a "strcpy_s: wrong dmax 79, dest has size 80" warning is passed to invoke_safe_str_constraint_handler, only visible if a handler is installed.

See https://android-developers.googleblog.com/2017/04/fortify-in-android.html
esp. the new diagnose_if https://clang.llvm.org/docs/AttributeReference.html#diagnose-if
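The dmax-versus-BOS check sketched in this issue, written out as an added example for this page (it is not safeclib's code and does not reproduce its headers): a strcpy_s-style checker whose caller-supplied dmax is compared with `__builtin_object_size(dest, 1)` at compile time through clang's `diagnose_if` (clang 7 or newer, guarded with `__has_attribute`) and again at run time through a constraint handler. The names `my_strcpy_s`, `my_strcpy_s_chk`, `DMAX_CHK`, `BOS_UNKNOWN`, `opaque`, `scratch`, the handler and the numeric error values are all constructed for the example; only the message texts "dmax exceeds dest" and "wrong dmax" come from the issue.

```c
/* Added example (not safeclib's code): a strcpy_s-style checker that compares
 * the caller's dmax with what the compiler knows about dest through
 * __builtin_object_size (BOS), first at compile time via clang's diagnose_if
 * (clang >= 7), then at run time via a constraint handler for what the
 * compiler could not see.  Names and error values are constructed here and
 * only mirror safeclib's ESLEWRNG/ESLEMAX naming. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EOK           0
#define ESNULLP       400          /* null pointer argument                 */
#define ESZEROL       401          /* dmax is zero                          */
#define ESLEMAX       403          /* dmax exceeds RSIZE_MAX or dest        */
#define ESNOSPC       406          /* src does not fit into dmax            */
#define ESLEWRNG      410          /* dmax differs from the known dest size */
#define RSIZE_MAX_STR 4096UL       /* constructed, deliberately small       */
#define BOS_UNKNOWN   ((size_t)-1) /* __builtin_object_size: size not known */

/* Minimal constraint handler: "wrong dmax" is only visible because a handler
 * records it; the copy itself still proceeds and dest is not cleared. */
static int last_constraint_error = EOK;
static void constraint_handler(const char *msg, int err)
{
    last_constraint_error = err;
    fprintf(stderr, "%s\n", msg);
}
int  last_error(void)       { return last_constraint_error; }
void reset_last_error(void) { last_constraint_error = EOK; }

/* Compile-time half.  clang evaluates diagnose_if at every call site; when
 * destbos folds to a constant (local or global array) the mismatch is
 * reported before the program runs: dmax > BOS is an error, dmax != BOS a
 * -Wuser-defined-warnings warning.  gcc and older clang expand DMAX_CHK to
 * nothing and fall back to the run-time check. */
#if defined(__has_attribute)
# if __has_attribute(diagnose_if)
#  define DMAX_CHK(dmax, destbos)                                          \
     __attribute__((                                                       \
       diagnose_if((destbos) != BOS_UNKNOWN && (dmax) > (destbos),         \
                   "dmax exceeds dest", "error"),                          \
       diagnose_if((destbos) != BOS_UNKNOWN && (dmax) != (destbos),        \
                   "wrong dmax", "warning")))
# endif
#endif
#ifndef DMAX_CHK
# define DMAX_CHK(dmax, destbos)
#endif

/* Run-time half: destbos is the BOS computed at the call site, or BOS_UNKNOWN. */
int my_strcpy_s_chk(char *dest, size_t dmax, const char *src, size_t destbos)
    DMAX_CHK(dmax, destbos)
{
    char msg[96];
    size_t i;

    if (dest == NULL) { constraint_handler("strcpy_s: dest is NULL", ESNULLP); return ESNULLP; }
    if (dmax == 0)    { constraint_handler("strcpy_s: dmax is 0", ESZEROL);    return ESZEROL; }
    if (dmax > RSIZE_MAX_STR) { constraint_handler("strcpy_s: dmax exceeds RSIZE_MAX", ESLEMAX); return ESLEMAX; }
    if (destbos != BOS_UNKNOWN) {
        if (dmax > destbos) {            /* would overflow dest although dmax < RSIZE_MAX */
            constraint_handler("strcpy_s: dmax exceeds dest", ESLEMAX);
            return ESLEMAX;
        }
        if (dmax != destbos) {           /* warning only; keep going, do not clear dest */
            snprintf(msg, sizeof msg, "strcpy_s: wrong dmax %zu, dest has size %zu", dmax, destbos);
            constraint_handler(msg, ESLEWRNG);
        }
    }
    if (src == NULL) { dest[0] = '\0'; constraint_handler("strcpy_s: src is NULL", ESNULLP); return ESNULLP; }
    for (i = 0; i < dmax; i++) {
        dest[i] = src[i];
        if (src[i] == '\0') return EOK;
    }
    dest[0] = '\0';                      /* no room for the terminator: clear dest */
    constraint_handler("strcpy_s: not enough space for src", ESNOSPC);
    return ESNOSPC;
}

/* Call-site wrapper: passes the compiler's object-size knowledge along
 * (glibc _chk style), which is also what diagnose_if sees. */
#define my_strcpy_s(dest, dmax, src) \
    my_strcpy_s_chk((dest), (dmax), (src), __builtin_object_size((dest), 1))

/* A size the compiler cannot fold, standing in for one computed at run time. */
size_t opaque(size_t v) { return v; }

char scratch[80];   /* global buffer used by main() below */

int main(void)
{
    /* The issue's example: dmax 79 for an 80-byte array.  clang >= 7 warns
     * "wrong dmax" at compile time; every compiler reports it at run time. */
    int rc = my_strcpy_s(scratch, 79, "1");
    printf("rc=%d last_error=%d scratch=\"%s\"\n", rc, last_error(), scratch);
    reset_last_error();
    /* Written as a constant, clang rejects this call outright ("dmax exceeds
     * dest"); with a run-time value only the handler catches it. */
    rc = my_strcpy_s(scratch, opaque(100), "1");
    printf("rc=%d last_error=%d\n", rc, last_error());
    return 0;
}
```

The two halves matter together: the `diagnose_if` conditions can only fire when `destbos` folds to a constant at the call site, which is exactly the local-or-global-array case the issue targets, while a pointer to heap memory or a dmax computed at run time leaves `destbos` unknown or the condition non-constant and falls through to the run-time handler. Note that the "wrong dmax" path records ESLEWRNG through the handler but still performs the copy and returns EOK, matching the issue's point that a fatalized ESLEWRNG does not clear dest.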

rurban added a commit that referenced this issue Feb 6, 2018
sizeof(dest)!=dmax checks as user-defined warnings (clang), when __builtin_object_size returns the known object size.
See GH #40

e.g.:
test_strcoll_s.c:81:39: warning: wrong dmax [-Wuser-defined-warnings]
    rc = strcoll_s(str1, 0, str2, &ind);
rurban added a commit that referenced this issue Feb 7, 2018
and foresee an --enable-error-dmax/HAVE_ERROR_DMAX option.
See GH #40
@rurban rurban added this to the 3.3 milestone Feb 17, 2018
@rurban rurban self-assigned this Feb 17, 2018
rurban added a commit that referenced this issue Feb 25, 2018
Closes #40.

Todo: Now the msvcrt checks can be switched back to compile-time,
and #ifdef's.
@rurban rurban closed this as completed in 7d0a687 Feb 26, 2018